Fixes
Denys Vlasenko
vda.linux at googlemail.com
Wed Aug 20 22:20:33 UTC 2008
On Wednesday 20 August 2008 03:35, Cristian Cadar wrote:
> Hey Denys, thanks for closing those bugs.
> The fix you pushed does indeed fix one of the bugs I reported. There's
> another invalid access though, sorry for not being clear.
>
> The problem occurs when you call envdir, setuidgid or envuidgid w/o any
> arguments:
>
> $ ./envdir
> envdir: chdir((null)): Bad address
>
> In chpst_main, argv is initially {"envdir", NULL}.
>
> 195: if ((ENABLE_CHPST && applet_name[0] == 'c')
> 196: || (ENABLE_SOFTLIMIT && applet_name[1] == 'o')
> ...
> } else {
> option_mask32 = opt = 0;
> 215: argv++;
> }
>
> // envdir?
> if (ENABLE_ENVDIR && applet_name[3] == 'd') {
> 220: env_dir = *argv++;
> opt |= OPT_e;
> }
> ...
> 237: if (!*argv)
> bb_show_usage();
>
>
> Then, argv is incremented twice: once on line 215, and once on line 220.
> Then, the dereference on line 237 accesses invalid memory.
> Also, edir(NULL) is called (line 344) which in turn incorrectly calls
> chdir(NULL).
>
> The other calls (setuidgid or envuidgid) are similar. A simple
> validation that these programs are called w/ the right number of
> arguments should solve this.
Please try this patch.
--
vda
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 8.patch
Type: text/x-diff
Size: 585 bytes
Desc: not available
Url : http://lists.busybox.net/pipermail/busybox/attachments/20080821/79f43b89/attachment.bin
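
The argument walk described in the quoted report, as an added example (not BusyBox source and not the contents of 8.patch): it counts where the unchecked walk ends up and shows a checked walk that stops at the NULL terminator. All function, struct and variable names are hypothetical, the argv arrays are constructed, and the "directory then program" requirement is assumed from the quoted `if (!*argv)` usage check.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration; hypothetical names, not BusyBox source. */
struct envdir_args {
    const char *env_dir;  /* directory argument */
    char **prog;          /* start of the command to run */
};

/* Index the unchecked walk reads at "if (!*argv)" (line 237). */
static int unchecked_read_index(void)
{
    int idx = 0;
    idx++;   /* line 215: argv++ */
    idx++;   /* line 220: env_dir = *argv++ */
    return idx;
}

/* argv[0..argc] is valid storage; argv[argc] is the NULL terminator. */
static int unchecked_read_in_bounds(int argc)
{
    return unchecked_read_index() <= argc;
}

/* Checked walk: never advance past the terminator.
 * Returns 0 on success, -1 when usage should be shown. */
static int parse_envdir(char **argv, struct envdir_args *out)
{
    if (!argv || !*argv) return -1;
    argv++;                    /* skip applet name */
    if (!*argv) return -1;     /* no directory given */
    out->env_dir = *argv++;
    if (!*argv) return -1;     /* no program given */
    out->prog = argv;
    return 0;
}

/* Constructed sample inputs and a scratch result. */
static char *bare_argv[] = { "envdir", NULL };
static char *dir_only_argv[] = { "envdir", "/tmp", NULL };
static char *full_argv[] = { "envdir", "/tmp", "true", NULL };
static struct envdir_args sample_out;

int main(void)
{
    printf("bare: in_bounds=%d checked=%d\n", unchecked_read_in_bounds(1), parse_envdir(bare_argv, &sample_out));
    printf("dir:  in_bounds=%d checked=%d\n", unchecked_read_in_bounds(2), parse_envdir(dir_only_argv, &sample_out));
    printf("full: in_bounds=%d checked=%d\n", unchecked_read_in_bounds(3), parse_envdir(full_argv, &sample_out));
    return 0;
}
```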